Yahoo DNS Abuse

August 22nd, 2011, 12:00 PM
Yahoo DNS Abuse
Am I the only one having a problem with Yahoo DNS servers bombarding our server with type 99 (SPF) requests? The maximum number of requests received one day last week was 55,987, but it looks like today may set a new record.
J.A. Coutts

August 22nd, 2011, 12:22 PM
Could be people spoofing sending mail from your domain and Yahoo's servers just doing the proper procedure for SPF enforcing. You can try setting the TTL for the TXT/SPF statement higher. It may cut back on the queries (unless they do a lookup per email coming in). Probably better to have SPF queries coming in than spammers getting your domain blacklisted.
Or it could be someone just using their servers with ill intent. Are the servers querying you open to recursion?

August 22nd, 2011, 08:04 PM
Quote: Originally Posted by CaptPikel
> Could be people spoofing sending mail from your domain and Yahoo's servers just doing the proper procedure for SPF enforcing. You can try setting the TTL for the TXT/SPF statement higher. It may cut back on the queries (unless they do a lookup per email coming in). Probably better to have SPF queries coming in than spammers getting your domain blacklisted.
> Or it could be someone just using their servers with ill intent. Are the servers querying you open to recursion?
Servers used are:
67.195.128.48-51
68.142.209.135-138
68.142.209.143-146
68.142.209.151-158
72.30.192.150-155
72.30.192.164-171
74.6.109.17-20
74.6.109.24-27
98.139.193.152-159
I assume these are internal servers, as they do not respond to port 53. Part of the problem is that Yahoo does not check for TXT records, and our DNS does not support type 99 requests. It just rotates through the round robin servers asking the same question several times. I have blocked most of the servers, but it hasn't slowed the onslaught. Yahoo just ignores all my abuse complaints.
J.A. Coutts

August 25th, 2011, 10:33 AM
New record established yesterday.
67.195.128.48-51       8,395
68.142.209.135-138     2,522
68.142.209.143-146    28,083
68.142.209.151-158     5,895
72.30.192.150-155          0
72.30.192.164-171     11,278
74.6.109.17-20         3,960
74.6.109.24-27         4,225
98.139.193.152-159    14,248
------------------   -------
Total                 78,606
Still no response from Yahoo, even though I have a problem number.
J.A. Coutts

August 25th, 2011, 11:04 AM
Yeah, that seems pretty sketchy. I guess there isn't much you can do except wait or block IPs. I only have a very small test domain I can check queries on and I don't get that. So not sure on this one.

September 9th, 2011, 02:41 PM
Yahoo DNS Abuse continues
Yesterday, our DNS server received 88,715 requests (97% of all requests) from Yahoo, and I have had absolutely zero non-automated response from Yahoo. The volume is so high that it is starting to flood the NAT table in our router.
Yahoo appears to be using SPF to delay incoming mail delivery. Our Pseudo SMTP server (which rejects all incoming messages with a 550 error) recorded 88 attempts from various Yahoo mail servers to send a message to very obviously randomly generated email addresses in our domain. The DNS queries seem highly disproportionate to the rejection messages sent.
Does anyone know if Yahoo uses a Domain Name Block List such as the Spamhaus DBL? I am getting desperate.
J.A. Coutts
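
An added example, not part of the original thread or any poster's code: one way to produce the per-range tally of type 99 queries and the share-of-all-queries figure quoted in the posts above from a DNS query log. The log layout, `SAMPLE_LOG`, and the function names are assumptions, since the thread does not name the DNS server or its log format; the ranges are three of those listed in the thread.

```python
import ipaddress
import re

# Source ranges copied from the thread, in its "a.b.c.first-last" notation.
RANGES = ["67.195.128.48-51", "68.142.209.143-146", "98.139.193.152-159"]

# Constructed sample log; the "client=... qtype=..." layout is an assumed format.
SAMPLE_LOG = """\
2011-09-08T10:00:01 client=68.142.209.143 qtype=99 qname=example.com
2011-09-08T10:00:01 client=68.142.209.144 qtype=99 qname=example.com
2011-09-08T10:00:02 client=98.139.193.155 qtype=99 qname=example.com
2011-09-08T10:00:03 client=192.0.2.10 qtype=1 qname=www.example.com
2011-09-08T10:00:03 client=68.142.209.146 qtype=16 qname=example.com
2011-09-08T10:00:04 client=68.142.209.147 qtype=99 qname=example.com
malformed line without fields
"""

LINE_RE = re.compile(r"client=(\S+) qtype=(\d+)")

def parse_range(text):
    """Turn '68.142.209.143-146' into inclusive integer bounds."""
    base, last = text.rsplit("-", 1)
    first = ipaddress.IPv4Address(base)
    end = ipaddress.IPv4Address(base.rsplit(".", 1)[0] + "." + last)
    return int(first), int(end)

def tally(log_text, ranges=RANGES, qtype=99):
    """Count `qtype` queries per listed range; return (counts, matched, total)."""
    bounds = [(name, *parse_range(name)) for name in ranges]
    counts, total = {name: 0 for name in ranges}, 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        total += 1
        try:
            ip = int(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue  # non-IPv4 client: counted in total, never in a range
        hit = next((n for n, lo, hi in bounds if lo <= ip <= hi), None)
        if hit and int(m.group(2)) == qtype:
            counts[hit] += 1
    return counts, sum(counts.values()), total

if __name__ == "__main__":
    counts, matched, total = tally(SAMPLE_LOG)
    for name in RANGES:
        print(f"{name:<20}{counts[name]:>8,}")
    print(f"{'Total':<20}{matched:>8,}  ({matched / total:.0%} of {total} queries)")
```

Tracking the share alongside the raw counts separates a burst from one resolver pool from a general rise in query volume.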

November 9th, 2011, 10:49 AM
Yahoo DNS abuse suddenly stopped
I have no idea why, but for the last 7 days the bombardment has ceased. Not only that, but there have been zero requests for type 99 or TXT records from anywhere.
Anyone have any idea what is going on? Has Yahoo abandoned their SPF attempts?
J.A. Coutts